bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity
Files
14d89ba49d34667a49c40fd0022f65f9d4145e1d
bluejay-infra/apps-gx10/fc-devicemgmt/README.md

2.9 KiB
Raw Blame History

FlowerCore DeviceManagement on GX10

This adopted GX10 app hosts FlowerCore.DeviceManagement.Web at https://devices.iamworkin.lan.

Apple MDM Runtime Contract

Apple MDM is enabled in NanoHUB mode, but enrollment remains unavailable until the runtime secret contains real Apple-side material. Do not use placeholder values to clear readiness checks.

Secret/fc-devicemgmt-runtime supports these Apple MDM keys:

Key Purpose
DEVICE_MANAGEMENT_OPERATOR_API_KEY Required operator API key for authenticated REST/MCP write operations, including Android command queueing.
DEVICE_MANAGEMENT_ADMIN_API_KEY Required admin API key for privileged DeviceManagement operations.
DEVICE_MANAGEMENT_AGENT_API_KEY Required scoped agent credential for REST agent callbacks when TLS terminates before Kestrel; maps to Auth:AgentApiKey and FlowerCore:Auth:AgentApiKey.
NANOHUB_API_KEY NanoHUB API password for HTTP Basic user nanohub.
APPLE_MDM_APNS_TOPIC MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM.
APPLE_MDM_SCEP_URL Live SCEP URL included in the enrollment profile.
APPLE_MDM_SCEP_CHALLENGE SCEP challenge shared with the SCEP provisioner.
APPLE_MDM_PROFILE_SIGNING_CERTIFICATE_PEM PEM certificate used to CMS-sign .mobileconfig profiles.
APPLE_MDM_PROFILE_SIGNING_PRIVATE_KEY_PEM PEM private key matching the profile-signing certificate.
APPLE_MDM_REQUIRE_MANAGED_WIFI_PAYLOAD Set to true only when Wi-Fi payload delivery should gate enrollment readiness.
APPLE_MDM_MANAGED_WIFI_SSID Managed Wi-Fi SSID for the iPad profile.
APPLE_MDM_MANAGED_WIFI_PASSWORD Managed Wi-Fi password when the network is not open.

Non-secret profile constants stay in GitOps: NanoHUB base URL, MDM server URL, check-in URL, organization/display names, the HTTPS trust anchor certificate, managed Wi-Fi encryption type, auto-join, and MAC-randomization disablement.

DeviceManagement auth is enabled on GX10. The deployment maps DEVICE_MANAGEMENT_OPERATOR_API_KEY to both Auth__ApiKey and FlowerCore__Auth__ApiKey; the unprefixed key keeps the MCP API key post-config path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog, and command-result callbacks use the agent-specific authorization boundary: the server validates a device client certificate when Kestrel receives one, and also accepts only the scoped DEVICE_MANAGEMENT_AGENT_API_KEY via Authorization: Bearer or X-Agent-Api-Key when TLS is terminated before the app. Operator write endpoints must use X-Api-Key.

Readiness Check

After changing the runtime secret and letting the pod roll, verify:

curl -sk https://devices.iamworkin.lan/api/v1/apple-mdm/enrollment-profile/status

Configurator enrollment must wait until this status reports available=true and an empty missingRequirements array.

Reference in New Issue View Git Blame Copy Permalink